PIPEDA's New Privacy Consent Guidelines: How to "Beef Up" Your Privacy Policies
Current Legislation for Protection of Personal Information
The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is Canada’s privacy legislation. The objective of PIPEDA is to establish parameters governing the collection, use and disclosure of personal information in a commercial context, in a manner that recognizes the privacy rights of individuals in respect of their personal information while balancing the needs of organizations to collect, use and disclose personal information in reasonable ways.
When does PIPEDA apply? PIPEDA applies to an “organization” when it collects, uses or discloses “personal information” in the course of conducting “commercial activities”. For clarity, an “organization” includes an association, partnership, person and a trading name. “Personal information” means information about an identifiable individual. This in essence means that where the identity of a person can be ascertained from the information, that information will be deemed to be personal information for the purposes of PIPEDA. A “commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character.
PIPEDA creates standards for the use and disclosure of personal information. PIPEDA is based on the twin principles of notice and consent. The collection and use of personal information is only permitted when people are aware that such information is being collected and when they give their informed consent.
While PIPEDA arguably does not directly apply to Condominiums, such a conclusion fails to recognize that the provisions of PIPEDA do apply to organizations that serve condominiums, such as property management and security personnel, which are often the ones collecting and handling personal information. Thus, PIPEDA can assist a Condominium with the creation of “best practices” regarding the privacy of unit owners and others, and can also be integrated into contracts with suppliers to manage risk exposure.
Condominiums are subject to the Condominium Act, 1998 (the “Act”), together with each individual Condominium’s declaration, by-laws, and rules regarding the collection, storage, use and disclosure of personal information and/or records. Condominiums currently maintain the right to collect and use personal information from owners and occupants when required to fulfill the objects and duties of the Condominium, and shall only use this information for the purposes of the Act. The Act specifically sets out the type of information that Condominiums must collect, for what stated purpose, and for how long such information must be retained.
New Privacy Consent Guidelines
The seven guiding principles are as follows:
- Emphasize key elements
Organizations must provide information about their privacy management practices in a form that is readily accessible to individuals who wish to read it; however, due to lack of time and energy, most individuals do not want to read the full policy. To receive meaningful consent, organizations must allow individuals to quickly review key elements impacting their privacy decisions upfront.
For this reason, organizations generally emphasize the following key elements:
- What personal information is being collected?
This must be done with sufficient precision for individuals to meaningfully understand what they are consenting to.
- With which parties is personal information being shared?
Disclosures to third parties must be clearly explained, along with the type of information being shared.
- For what purpose(s) is personal information being collected, used or disclosed?
Purposes must be described in meaningful language and should not be vague. Purposes integral to the provision of the service should be distinguished from those that are not. Organizations should highlight any non-obvious purposes.
- Risk of harm and other consequences
Under PIPEDA, for consent to be valid, it must be reasonable to expect that individuals understand the consequences of the collection, use or disclosure to which they are consenting – one of these consequences is risk of harm, specifically, residual risks which remain after an organization has applied any mitigation measures designed to minimize the risk and impact of potential harms.
If there is a meaningful risk (i.e. one that falls below the balance of probabilities) that a residual risk will materialize and will be significant, individuals must be notified; otherwise, no notification is necessary.
There is currently no prescribed form in which these elements should be highlighted – organizations are encouraged to adopt standardized mechanisms. The purpose is to make it abundantly clear to individuals when their information is being collected and then provide them with the details upon further inquiry.
- Allow individuals to control the level of detail they get and when
Information must be provided to individuals in manageable and easily-accessible ways and individuals should be able to control how much more detail they wish to obtain, and when. The level of detail required to make a consent decision will vary by individual and by situation. Presenting information in a layered format or by some method that allows for user-control over the level of detail provided is helpful to individuals.
- Provide individuals with clear options to say ‘yes’ or ‘no’
Individuals should only be required to consent to the collection, use or disclosure of personal information that is necessary for the product or service. Individuals should be given a choice (i.e. ‘opt-in’ or ‘opt-out’), unless the collection, use or disclosure of information is a “condition of service” (i.e. is integral to the provision of the product or service).
In the case of surveillance cameras, the use of cameras, if implemented, is considered necessary by the Condominium (and perhaps a majority of owners) for the safety and security of the property and the owners/residents. The footage should only be used for security purposes. If the Condominium wishes to exceed the scope of the intended purpose, it will need to get consent from the person whose privacy is being invaded, unless disclosure falls under an exception.
- Be innovative and creative
- Consider the consumer’s perspective
- Make consent a dynamic and ongoing process
Organizations should provide some interactive and dynamic way to anticipate and answer users’ questions if the information provided is not clear or gives rise to follow-up questions, for example, regularly updating FAQs.
- Be accountable: Stand ready to demonstrate compliance
In addition to the aforementioned principles, organizations should also consider the appropriate form of consent. Consent should generally be express, but can be implied in certain circumstances, such as collecting a debt owed by the individual to the organization; when required to comply with a subpoena, warrant or order made by a court; or when required by law, such as the requirements under the Act. Express consent should be obtained when the information being collected, used, or disclosed is sensitive, outside of the reasonable expectations of the individual, and/or creates a meaningful residual risk of significant harm.
The guidelines urge organizations to keep the following in mind when designing a consent process: (i) information collection should be limited to purposes that a reasonable person would consider appropriate in the circumstances; (ii) individuals have the right to withdraw consent, subject to legal or contractual restrictions; and (iii) consent does not waive an organization’s obligations under privacy laws or under the Act.
Personal Information Protection and Electronic Documents Act, SC 2000, c 5.
Condominium Act, 1998, SO 1998, c 19.
All of the information contained in this article is of a general nature for informational purposes only, and is not intended to represent the definitive opinion of the firm of Elia Associates on any particular matter. Although every effort is made to ensure that the information contained in this newsletter is accurate and up-to-date, the reader should not act upon it without obtaining appropriate professional advice and assistance.
© Elia Associates Professional Corporation, All Rights Reserved.